First Base Technologies

Contact Us
Phone 01273 454525
email

PCI DSS Penetration Testing



If you are new to PCI, then check out our PCI DSS information page here.


PCI DSS Penetration Testing Information

Many organisations do not realise that PCI DSS Requirements 6.6 and 11.3 call for penetration testing - over and above the external and internal vulnerability assessments required by PCI DSS Requirement 11.2.

The table below shows what PCI DSS Requirements 6.6 and 11.3 specify as to what needs testing and when. Our existing penetration testing services map on to your PCI DSS requirements exactly, so each test type in the table below links to the relevant testing page on our website.


Test Type Frequency ASV/QSA Required? Location
Web Application Test Annual No Remote
External Penetration Test Annual No Remote
Internal Penetration Test Annual No On Site

Our web application tests comply with PCI DSS Requirement 6.6 "Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes".

Our external and internal penetration tests comply with PCI DSS Requirement 11.3 "Penetration testing should include network and application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network.".

Our primary deliverable is a report - tailored to your requirements, it will inform you of the vulnerabilities and the solutions, so you can address these before insiders or hackers do.


Hover over each segment of the diagram below to read about each stage of the testing process.

We also undertake:

  • PCI DSS Consultancy: We have now undertaken PCI consultancy work for many clients and for a variety of reasons. Some, because clients are uncertain about the requirements and the scope of work they need to do in order to obtain or maintain compliance with PCI DSS. Others, because clients are unsure how to implement the technologies required by the standard, such as encryption key management. Our in-depth knowledge of the standard itself, and of the various technologies, can also help to reduce the headaches that can be caused by the PCI DSS compliance process. Another aspect of the PCI consultancy services we offer is outlined below...
  • Analysis of Reports & False Positives: We are often approached by clients who simply do not understand the varied reports that are produced by PCI scanning vendors and need help interpreting the findings. In addition, we are often called upon to verify results produced by PCI Scanning Vendors which indicate a client is non-PCI compliant. In some cases we have found that in fact the results that led to a verdict of non-compliance were false-positives (which we determine by specifically testing the "offending" site or system for that supposed vulnerability). This can enable the client to go back to their scanning vendor and argue the case for false-positives, which can result in the scanning vendor properly verifying the results, finding that they agree with us, and changing the PCI scan results to compliant! So you see, even if you don't use us for testing - and most people end up using us - then we can help!
  • PCI ASV Testing: We recommend QualysGuard PCI for ASV Testing. It has the lowest rate of false-positives we have seen so far and we can put you in touch with our representative at Qualys to ensure you obtain the service you require. Please click here for more information about QualysGuard PCI.
More Information

You can read our article about the PCI DSS Standard here

Visit the actual PCI web site here

See what our clients say about us here





Contact Us
+44 (0)1273 45 45 25

CREST


ISO 27001


ISO 9001


CREST Cyber Essentials

E&OE
© 2001-2015 First Base Technologies LLP - All Rights Reserved.
First Base Technologies LLP is a limited liability partnership registered in England & Wales, number: OC352070
Website designed and mastered by
didilogix


W3 Org says this page is HTML 4.01 compliant